ID CVE-2004-0323
Summary Multiple SQL injection vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to inject arbitrary SQL and gain privileges via the (1) ppp parameter in viewthread.php, (2) desc parameter in misc.php, (3) tpp parameter in forumdisplay.php, (4) ascdesc parameter in forumdisplay.php, or (5) the addon parameter in stats.php. NOTE: it has also been shown that item (3) is also in XMB 1.9 beta.
References
Vulnerable Configurations
  • cpe:2.3:a:xmb_forum:xmb:1.8_sp1:*:*:*:*:*:*:*
  • cpe:2.3:a:xmb_forum:xmb:1.8_sp2:*:*:*:*:*:*:*
  • cpe:2.3:a:xmb_forum:xmb:1.8:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 29-04-2021 - 15:15)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
bid 9726
bugtraq
  • 20040223 [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2
  • 20040225 Re: [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2
  • 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 SP3 and 1.9 beta]
confirm http://www.xmbforum.com/community/boards/viewthread.php?tid=746859
xf xmb-multiple-sql-injection(15295)
statements via4
contributor
lastmodified 2008-12-11
organization XMB
statement XMB versions 1.9.8 SP2 and later were checked and are not vulnerable.
Last major update 29-04-2021 - 15:15
Published 31-12-2004 - 05:00
Last modified 29-04-2021 - 15:15